This menu offers the possibility to group several appliances in a cluster (see also Clustering Multiple Systems).
Sections on this page:
•Add this device to existing cluster
•Add this device as frontend server (no local database)
The behaviour of the cluster (e.g. active/active, active/passive and so on) depends strongly on the system settings (among others, please refer to System IP ALIAS addresses and SMTP load balancer).
Machines that are added to the cluster adopt the settings of the base machine. This means that any settings already made will be overwritten.
The synchronisation in the cluster does not include the menu items containing machine-related data, such as System, , SSL, the root certificate from CA, Logs and Statistics.
If LFT (see also Home licence Large File Transfer (LFT) licenses and GINA Domains Domains Large File Transfer) is used, the additional LFT memory must be provided on all cluster partners (including frontend systems).
For the formation of a cluster, it is essential that the machines
•have the same firmware version (see Home System Firmware version)
•have NTP enabled and use the same NTP server (pool) (see System Advanced view Time and date Set remote NTP server)
If a load balancer is connected upstream of the cluster, it is imperative that a fixed assignment of source and destination IP address is set up at this load balancer. This ensures that, especially in the case of GINA access, the requests of a session are always routed to the same cluster member. Otherwise, sessions would be aborted.
Column |
Description |
---|---|
(new in 12.1) |
Password entry to protect the private key. |
Download cluster identifier downloads the certificate and/or key pair for establishing the SSH connection from the future cluster partner to the base machine. This file is usually called "clusterid.txt". This means that this action is performed on the machine from which the settings are to be adopted. |
If several machines are to be added to a cluster, they must be added one after the other. If several machines are added in parallel, the configuration may be lost!
Section Add this device to existing cluster
This section only appears if the SEPPmail Secure E-Mail Gateway has not already been integrated into a cluster, and is used for adding it to a cluster.
Attention: |
Parameters |
Description |
|
---|---|---|
Use the "Select file" button to select the certificate of the base machine required for the SSH connection, "clusterid.txt" (see section Prepare For Cluster). |
||
At this point, the physical IP address (no alias!, that means no virtual address) of the base machine via which the cluster communication is to take place and the port to be used (port 22 is the default for the SSH protocol) are specified. |
Entering a Port is only necessary if port mapping is implemented on an intermediate component (for example a firewall). The Cluster member IP always listens on port 22 SSH (default entry). |
|
Here, the physical IP address (no alias!, that means no virtual address, see System IP ALIAS addresses) of this machine via which the cluster communication should take place and the port to be used (must be identical to the one entered under Cluster member IP) is specified. |
||
Clicking the Start button adds the machine to the cluster. |
This section only appears if the SEPPmail Secure E-Mail Gateway is already part of a cluster. In this case, all full cluster partners - that means only backend machines - are listed with the following data:
Column |
Description |
---|---|
Displays the "Device ID" of the respective cluster partner. A remote cluster partner can be removed by clicking on the "Device ID". This opens another menu in which the server can be removed with the Remove device from cluster button. The database remains on the remote system in the last synchronised version. The local machine is removed from the cluster as described in the section Remove from cluster. |
|
Displays the "IP address" of the respective cluster partner which has been configured for the cluster communication. |
|
Displays the communication port (port 22 is the default for the SSH protocol) |
|
If the cluster is working correctly, the following is written here "OK (XXXX entries in remote database, XXXX entries in local Database)" whereby the number "XXXX" should be identical. |
|
Displays the comment defined for the cluster partner (see System Comment) |
|
Displays the location defined for the cluster partner (see System Comment) |
|
(new in 13.0.0) |
Displays the Firmware version of the respective Device ID |
(new in 13.0.0) |
Displays the time of the last synchronisation of the respective Device ID with the cluster association. The display is static and is therefore only updated again when the menu is called up again. |
This section only appears if the SEPPmail Secure E-Mail Gateway is already part of a cluster.
By clicking the remove this device from cluster button, the machine is removed from the cluster. The local database remains unchanged and has the status of the last synchronisation in the cluster.
(new in 13.0.5)
This section only appears if the SEPPmail Secure E-Mail Gateway is already part of a cluster.
With this setting you can allow this cluster member to inject mails on the selected cluster members.
This is mainly important for bypass LFT systems and for the SMTP Loadbalancer.
The synchronisation of stored LFT attachments will only be done to the selected members.
Column |
Description |
---|---|
(if available) Select one or more frontend cluster members. |
|
(if available) Select one or more backend cluster members. |
(new in 13.0.0)
This section only appears if the SEPPmail Secure E-Mail Gateway is already part of a cluster. In this case, all cluster partners (including the frontend machines) are listed with the following data:
Column |
Description |
---|---|
Displays the "Device ID" and the "UUID" of the respective cluster partner, with a unique colour code. |
|
For each backend machine, a unique number is displayed. For each frontend machine, an "F" followed by brackets with the unique numbers of connected backend machines is displayed (see also Add additional backend). |
|
Displays the hostname of the respective machine (see Hostname). |
|
Displays the "IP address" of the respective cluster partner which has been configured for the cluster communication. |
|
Displays the communication port (port 22 is the default for the SSH protocol) |
|
For frontend machines, the backend machines with their Device ID /UUID are displayed (see also Add additional backend). |
|
For backend machines, the connected frontend machines with their Device ID /UUID are displayed. |
|
Displays the comment entered for the respective Device ID /UUID (see Comment) |
|
Displays the location entered for the respective Device ID /UUID (see Comment) |
|
Displays the Firmware version of the respective Device ID /UUID |
|
Displays the time of the last synchronisation of the respective Device ID /UUID with the cluster association. The display is static and is therefore only updated again when the menu is called up again. |
|
|
If a cluster partner has been permanently switched off, its entry (Device ID /UUID) can be removed via the symbol . If the entry of an active cluster partner (also frontend machines!) is removed, it usually reappears on its own after one minute. |
(new in 13.0.0)
This section only appears if the SEPPmail Secure E-Mail Gateway is already part of a cluster. In this case, all full cluster partners - that means only backend machines - are listed with the following data:
Column |
Description |
---|---|
Displays the "Device ID" and the "UUID" of the respective cluster partner with its unique colour code (see Cluster Setup Device ID /UUID). The machine on which the menu is opened is displayed in bold. |
|
Displays which cluster partner (Cluster No.) last made a change to the database (LDAP) and when. |
Section Add this device as frontend server (no local database)
This section only appears if the SEPPmail Secure E-Mail Gateway has not already been integrated in a cluster. It is used to add the machine as a frontend server to another machine or cluster. A frontend server is a cluster partner without a local database.
If, due to audit requirements, the SEPPmail Secure E-Mail Gateway must be placed in a DMZ (see also GINA Satellite) in which no data storage – in this case primarily key material – is permitted, this function can be used to separate the database system (backend) from the email processing system (frontend). This variant is also frequently used to separate the GINA part.
In this case, the frontend server only receives the data which is currently required for processing an email from the backend server. The backend server is located outside of the DMZ and stores the data in its database.
Frontend servers are not displayed in the section Cluster members of the backend systems.
Parameters |
Description |
---|---|
Use the "Select file" button to select the certificate of the base machine required for the SSH connection, "clusterid.txt" (see section Prepare For Cluster). |
|
At this point, the IP address of the backend machine via which the cluster communication is to take place and the port to be used (port 22 is the default for the SSH protocol) are specified. If a "backend cluster" has been created, a virtual IP address can be used here (see System IP ALIAS addresses). However, it is also possible to add further backend servers to the frontend machine later (see section Add additional backend) if no virtual IP address is available. |
|
Clicking the Start button adds the machine to the cluster. |
The frontend only requires communication with the backend via port 22 (SSH) and with the corresponding Server IP Address (see Mail System Managed Domains) via port 25 (SMTP). |
(changed in 12.0) After changes in the menus GINA Domains and/or Mail Processing, these must be applied separately again on each frontend (Save / Generate ruleset). Changes in the configuration of the backend system become active at the frontend system with a delay of up to ten minutes. |
This section only appears if the SEPPmail Secure E-Mail Gateway is already part of a cluster as a frontend server. In this case, all backend servers are listed with the following data:
Column |
Description |
---|---|
Displays the "IP address" of the respective LDAP (backend) machine. To remove an LDAP (backend) server, click on the IP address. This opens another menu in which the server can be removed with the Remove device from cluster button. The local machine as frontend server is removed as described in the section Detach from LDAP server. |
|
Displays the communication port (port 22 is the default for the SSH protocol) |
|
If the cluster is working correctly, the following is written here "OK (XXXX entries in remote database)" |
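
The status texts described above (the backend form with a remote and a local count, and the frontend form with only a remote count) can be checked mechanically. The following is an added example, not SEPPmail code; it assumes the status text has been copied from the menu, that "XXXX" stands for a decimal number, and the partner labels and sample lines are constructed.

```python
import re

# Status text as described on this page; the counts are assumed to be decimal integers.
_STATUS_RE = re.compile(
    r"^OK \((\d+) entries in remote database"
    r"(?:, (\d+) entries in local database)?\)$",
    re.IGNORECASE,
)


def check_cluster_status(status: str) -> dict:
    """Classify one status cell: in_sync, out_of_sync, frontend_ok or error."""
    m = _STATUS_RE.match(status.strip())
    if m is None:
        # Anything that is not the documented OK pattern is treated as a fault.
        return {"state": "error", "remote": None, "local": None}
    remote = int(m.group(1))
    if m.group(2) is None:
        # Frontend servers have no local database, so only the remote count is shown.
        return {"state": "frontend_ok", "remote": remote, "local": None}
    local = int(m.group(2))
    state = "in_sync" if remote == local else "out_of_sync"
    return {"state": state, "remote": remote, "local": local}


def summarize(cells: dict) -> list:
    """Return the partners (hypothetical labels) whose status needs attention."""
    return sorted(
        name for name, text in cells.items()
        if check_cluster_status(text)["state"] in ("out_of_sync", "error")
    )


# Constructed sample values, not taken from a real appliance.
SAMPLE = {
    "backend-a": "OK (1520 entries in remote database, 1520 entries in local Database)",
    "backend-b": "OK (1520 entries in remote database, 1498 entries in local Database)",
    "frontend-x": "OK (1520 entries in remote database)",
    "backend-c": "Connection refused",
}

if __name__ == "__main__":
    for name, text in SAMPLE.items():
        print(name, check_cluster_status(text))
    print("needs attention:", summarize(SAMPLE))
```
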
Section Detach from LDAP server
Clicking the Detach button removes the SEPPmail Secure E-Mail Gateway as frontend server. This creates an empty local database on the system.
Section Add additional backend
If several backend servers from a backend cluster are to be used for LDAP requests without a virtual IP address having been provided for this purpose, every backend server can be integrated separately using this option.
Parameters |
Description |
---|---|
At this point, the physical IP address of another backend machine and the port to be used (port 22 is the default for the SSH protocol) are specified. This allows a backend cluster to be connected on a fail-safe basis without using virtual IP addresses. |
|
Clicking the Start button adds the additional backend machine. |
Section Protect cluster identifier
(new in 13.0.0)
This section only appears if the SEPPmail Secure E-Mail Gateway is already part of a cluster. In this case, all cluster partners are listed with the following data:
Parameters |
Description |
---|---|
By default, this option is inactive. By activating the option, the input field can be used to limit the use of the "Cluster identifier" (see also Prepare For Cluster) to the IP addresses entered here. A new line must be used for each IP address.
|
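
Before pasting a list into the input field described above, it can be checked offline that every line holds exactly one IP address and that every intended cluster partner is covered. This is an added example, not SEPPmail code; it assumes the field takes single addresses only (as the page describes), and the addresses shown are constructed from a documentation range.

```python
import ipaddress


def validate_allowlist(field_text: str, partner_ips: list) -> dict:
    """Check text meant for the allow-list field: one IP address per line."""
    allowed, problems = [], []
    for lineno, raw in enumerate(field_text.splitlines(), start=1):
        entry = raw.strip()
        if not entry:
            continue  # ignore blank lines
        if any(sep in entry for sep in (",", ";", " ")):
            problems.append(f"line {lineno}: more than one entry on a line")
            continue
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            # Covers hostnames, CIDR ranges and typos.
            problems.append(f"line {lineno}: not a single IP address: {entry!r}")
            continue
        if addr in allowed:
            problems.append(f"line {lineno}: duplicate {addr}")
            continue
        allowed.append(addr)
    # Partners that are meant to use the cluster identifier but are not listed.
    missing = [ip for ip in partner_ips if ipaddress.ip_address(ip) not in allowed]
    return {"allowed": [str(a) for a in allowed], "problems": problems, "missing": missing}


# Constructed input: line 2 holds two entries, line 3 is a range, line 4 repeats line 1.
FIELD = """192.0.2.11
192.0.2.12, 192.0.2.13
192.0.2.0/24
192.0.2.11
"""
PARTNERS = ["192.0.2.11", "192.0.2.12"]  # hypothetical future cluster partners

if __name__ == "__main__":
    result = validate_allowlist(FIELD, PARTNERS)
    for problem in result["problems"]:
        print(problem)
    print("allowed:", result["allowed"])
    print("partners not covered:", result["missing"])
```
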